# docker run flags: drop every capability first, then add back only the ones
# the workload actually needs (least privilege for the container process)
--cap-drop=ALL --cap-add=<必要的capability>
bash
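# Generate the CA private key (AES-256 passphrase-protected; openssl prompts
# for the passphrase interactively)
openssl genrsa -aes256 -out ca-key.pem 4096
# Self-signed CA certificate, valid for one year
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
# Server private key
openssl genrsa -out server-key.pem 4096
# Certificate signing request for the daemon's host name
openssl req -subj "/CN=<your-host>" -sha256 -new -key server-key.pem -out server.csr
# Sign the CSR with the CA.
# The SAN must list every name/IP that clients will connect to. The value is
# quoted so the shell never interprets the placeholder brackets as redirection.
printf '%s\n' 'subjectAltName = DNS:<your-host>,IP:127.0.0.1' > extfile.cnf
# Restrict the certificate to server authentication only, so it cannot be
# reused as a client certificate against the daemon.
printf '%s\n' 'extendedKeyUsage = serverAuth' >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
# Private keys readable only by their owner; certificates may be world-readable.
chmod 0400 ca-key.pem server-key.pem
chmod 0444 ca.pem server-cert.pem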
bash
# Enable user-namespace remapping: root inside a container maps to an
# unprivileged subordinate UID/GID range on the host
dockerd --userns-remap=default
dockerfile
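# Run as an unprivileged user. Give the GID explicitly: with a bare UID that
# has no passwd entry in the image, the process may otherwise end up in the
# root group.
USER 1000:1000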
或运行时指定:
bash
# Override the image's user at run time (UID:GID), regardless of its USER line
docker run -u 1000:1000 <image>
bash
# Mount the container's root filesystem read-only; if the workload needs
# writable scratch space, grant it explicitly (e.g. --tmpfs /tmp)
docker run --read-only <image>
bash
# Cap memory and CPU so a runaway or compromised container cannot starve the
# host; --pids-limit can additionally bound the number of processes
docker run --memory=512m --cpus=1.5 <image>
bash
# Scan the image for known vulnerabilities before it is deployed
trivy image <image-name>
bash
# Submit the image for analysis, block until it is done, then list every
# vulnerability found
anchore-cli image add <image-name>
anchore-cli image wait <image-name>
anchore-cli image vuln <image-name> all
bash
# Scan the image; --file lets findings be mapped back to Dockerfile instructions
snyk test --docker <image-name> --file=Dockerfile
bash
# Start Falco with the given rule file for runtime syscall-level detection
falco -r /etc/falco/falco_rules.yaml
bash
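# CIS Docker Benchmark checks. The script runs as root, so review it or
# check out a known release tag before executing a freshly cloned copy.
git clone https://github.com/docker/docker-bench-security.git
# Abort if the clone failed rather than running from the wrong directory
cd docker-bench-security || exit 1
sudo sh docker-bench-security.sh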
bash
# Host-level audit of the Docker installation
lynis audit docker
# Enforce content trust: pull/push/run operate only on signed image tags
export DOCKER_CONTENT_TRUST=1
# dockerd flag: disable inter-container communication on the default bridge,
# so containers only talk to each other via explicit links or user networks
--icc=false
# docker run flag, presumably listed here as one to avoid: it grants the
# container nearly unrestricted access to host devices and capabilities
--privileged
通过以上配置和工具的组合使用,可以显著提高Docker环境的安全性,降低潜在风险。